USC CSci530
Computer Security Systems
Lecture notes
Fall 2006
Dr. Clifford Neuman
University of Southern California
Information Sciences Institute
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE
Administration
http://ccss.usc.edu/530
• Mid-term grading is slipping; most
questions are graded, but graders are still
working on others.
– Expect grades out this weekend.
• Assignment 3 on site by lecture
• All proposals responded to by
time of lecture.
• Additional readings to be posted tonight.
CSci530:
Security Systems
Lecture 11 – November 03, 2006
Intrusion Detection and Response
Dr. Clifford Neuman
University of Southern California
Information Sciences Institute
FROM PREVIOUS LECTURE
Intrusion Types
• External attacks
– Password cracks, port scans,
packet spoofing, DoS attacks
• Internal attacks
– Masqueraders, Misuse of privileges
FROM PREVIOUS LECTURE
Attack Stages
• Intelligence gathering
– attacker observes the system to determine
vulnerabilities (e.g., port scans)
• Planning
– decide what resource to attack and how
• Attack execution
– carry out the plan
• Hiding
– cover traces of attack
• Preparation for future attacks
– install backdoors for future entry points
FROM PREVIOUS LECTURE
Intrusion Detection
• Intrusion detection is the problem of
identifying unauthorized use, misuse,
and abuse of computer systems by
both system insiders and external
penetrators
• Why Is IDS Necessary?
FROM PREVIOUS LECTURE
IDS types
• Detection Method
– Knowledge-based (signature-based) vs.
behavior-based (anomaly-based)
• Behavior on detection
– passive vs. reactive
• Deployment
– network-based, host-based and
application-based
FROM PREVIOUS LECTURE
Components of ID systems
• Collectors
– Gather raw data
• Director
– Reduces incoming traffic and finds
relationships
• Notifier
– Accepts data from director and takes
appropriate action
FROM PREVIOUS LECTURE
Advanced IDS models
• Distributed Detection
– Combining host and network
monitoring (DIDS)
– Autonomous agents
(Crosbie and Spafford)
Intrusion Response
• Intrusion Prevention
– (marketing buzzword)
• Intrusion Response
– How to react when an intrusion is
detected
Possible Responses
– Notify administrator
– System or network lockdown
– Place attacker in controlled environment
– Slow the system for offending processes
– Kill the process
Phases of Response
(Bishop)
– Preparation
– Identification
– Containment
– Eradication
– Recovery
– Follow up
PREPARATION
• Generate baseline for system
– Checksums of binaries
▪ For use by systems like Tripwire
• Develop procedures to follow
• Maintain backups
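The baseline the slide describes, as an added example in Python (not code from the lecture or from Tripwire): hash every regular file under a root, record the digest together with mode and size, and later diff a fresh scan against the saved baseline to list added, removed and modified files. The directory tree, the file contents and the simulated tampering in `demo()` are all constructed here for illustration.

```python
"""Tripwire-style baseline: hash binaries now, compare against a fresh scan later."""
import hashlib
import json
import os
import tempfile


def hash_file(path, algo="sha256"):
    """Stream the file through the digest so large binaries need no extra memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> {sha256, mode, size} for every regular file under root.

    Symlinks are skipped: hashing their targets would let an attacker make an
    untouched file look modified, or a replaced file look untouched.
    """
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.lstat(full)
            baseline[os.path.relpath(full, root)] = {
                "sha256": hash_file(full),
                "mode": oct(st.st_mode & 0o7777),
                "size": st.st_size,
            }
    return baseline


def compare(baseline, current):
    """Return the three change sets a Tripwire-style report is built from."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline a small 'bin' tree, then trojan one binary and drop a new one."""
    root = tempfile.mkdtemp()
    bindir = os.path.join(root, "bin")
    os.makedirs(bindir)
    for name, body in (("ls", b"ELF-ls-v1"), ("login", b"ELF-login-v1")):
        with open(os.path.join(bindir, name), "wb") as f:
            f.write(body)
    # Serialise the baseline as it would be written to read-only media or an off-host store:
    # an attacker who can rewrite the binaries can also rewrite a baseline kept beside them.
    saved = json.dumps(build_baseline(root), sort_keys=True)
    # Simulated intrusion: 'login' replaced by a same-size trojan, plus a new backdoor binary.
    # Same size and (on a fast attacker) same mtime is why the digest, not stat data, decides.
    with open(os.path.join(bindir, "login"), "wb") as f:
        f.write(b"ELF-login-vX")
    with open(os.path.join(bindir, "bd"), "wb") as f:
        f.write(b"backdoor")
    return compare(json.loads(saved), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check is only as trustworthy as the stored baseline and the hashing binary itself; both belong on media the monitored host cannot write, which is the point of doing this work in the preparation phase rather than after the fact.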
IDENTIFICATION
• This is the role of the ID system
– Detect attack
– Characterize attack
– Try to assess motives of attack
– Determine what has been affected
CONTAINMENT
• Passive monitoring
– To learn intent of attacker
– Learn new attack modes so one can defend
against them later
• Constraining access
– Locking down system
– Closing connections
– Blocking at firewall, or closer to source
• Combination
– Constrain activities, but don’t let the attacker know
one is doing so (honeypots, jails).
ERADICATION
• Prevent attack or effects of attack from
recurring.
– Locking down system (also in
containment phase)
– Blocking connections at firewall
– Isolate potential targets
RECOVERY
• Restore system to safe state
– Check all software for backdoors
– Recover data from backup
– Reinstall, but don’t get re-infected before
patches are applied.
FOLLOW UP
• Take action against attacker.
– Find origin of attack
• Notify other affected parties
– Some of this occurs in earlier
phases as well
• Assess what went wrong and
correct procedures.
• Find buggy software that was
exploited and fix
Limitations of Monolithic ID
• Single point of failure
• Limited access to data sources
• Only one perspective on transactions
• Some attacks are inherently distributed
– Smurf
– DDoS
• Conclusion: “Complete solutions” aren’t
Sharing Information
• Benefits
– Increased robustness
– More information for all components
– Broader perspective on attacks
– Capture distributed attacks
• Risks
– Eavesdroppers, compromised
components
Sharing Information
• Communication risks can be
resolved cryptographically (at least
in part)
• Defining appropriate level of
expression
– Efficiency
– Expressivity
– Specificity
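The "at least in part" on this slide, worked through as an added example in Python (not code from the lecture or from any IDS): a collector authenticates each alert to the director with an HMAC over a per-sensor shared key and a monotonically increasing sequence number, and the director rejects messages that fail the MAC (tampered in transit) or reuse an old sequence number (replayed). The `Collector` and `Director` classes, the sensor name `nids-1` and the alert contents are constructed for illustration; key provisioning is assumed to happen out of band.

```python
"""Authenticated, replay-resistant alert channel between an ID collector and a director."""
import hashlib
import hmac
import json
import secrets


def canonical(body):
    """Deterministic encoding, so sender and receiver MAC exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class Collector:
    """Sensor side: wraps each alert with its identity, a sequence number and a MAC."""

    def __init__(self, sensor_id, key):
        self.sensor_id = sensor_id
        self.key = key
        self.seq = 0

    def emit(self, alert):
        self.seq += 1
        body = {"sensor": self.sensor_id, "seq": self.seq, "alert": alert}
        tag = hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()
        return {"body": body, "mac": tag}


class Director:
    """Receiver side: verifies the MAC before trusting any field, then enforces ordering."""

    def __init__(self, keys):
        self.keys = keys          # sensor_id -> shared key, provisioned out of band
        self.last_seq = {}        # sensor_id -> highest sequence number accepted
        self.accepted = []

    def receive(self, msg):
        body = msg.get("body", {})
        sensor = body.get("sensor")
        key = self.keys.get(sensor) if isinstance(sensor, str) else None
        if key is None:
            return "unknown sensor"
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        # Constant-time comparison: a byte-by-byte compare would leak how much of
        # a forged tag is correct to an attacker timing the director.
        if not hmac.compare_digest(expected, str(msg.get("mac", ""))):
            return "bad mac"
        # The MAC proves the sequence number is the collector's own, so it can be
        # trusted to detect replay of an earlier, genuine message.
        if body.get("seq", 0) <= self.last_seq.get(sensor, 0):
            return "replay"
        self.last_seq[sensor] = body["seq"]
        self.accepted.append(body["alert"])
        return "ok"


def demo():
    """Constructed exchange: one genuine alert, a tampered copy, a replay, then a second genuine alert."""
    key = secrets.token_bytes(32)
    collector = Collector("nids-1", key)
    director = Director({"nids-1": key})
    results = []
    m1 = collector.emit({"class": "port-scan", "src": "192.0.2.10"})
    results.append(director.receive(m1))
    forged = json.loads(json.dumps(m1))            # deep copy, as an eavesdropper would alter it
    forged["body"]["alert"]["src"] = "203.0.113.5"  # blame a different host
    results.append(director.receive(forged))
    results.append(director.receive(m1))            # the original again: valid MAC, stale seq
    m2 = collector.emit({"class": "root-compromise", "src": "192.0.2.10"})
    results.append(director.receive(m2))
    return results


if __name__ == "__main__":
    print(demo())
```

This closes the eavesdropper-modifies-traffic risk but not the compromised-component one from the previous slide: a collector whose key has been stolen can still emit perfectly authentic false alerts, and only corroboration from other components (the reason for sharing in the first place) can catch that.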
CIDF
• Common Intrusion Detection
Framework
– Collaborative work of DARPA-funded projects in late 1990s
– Task: Define language, protocols
to exchange information about
attacks and responses
CISL
• Common Intrusion Specification
Language
– Conveys information about attacks
using ordinary English words
– E.g., User joe obtains root access
on demon.example.com at 2003
Jun 12 14:15 PDT
CISL
• Problem: Parsing English is hard
• S-expressions (Rivest)
– Lisp-like grouping using parentheses
– Simplest examples: (name value) pairs
(Username 'joe')
(Hostname 'demon.example.com')
(Date '2003 Jun 12 14:15 PDT')
(Action obtainRootAccess)
CISL
• Problems with simple pairs
– Confusion about roles played by entities
▪ Is joe an attacker, an observer, or a
victim?
▪ Is demon.example.com the source or
the target of the attack?
– Inability to express compound events
▪ Can’t distinguish attackers in multiple
stages
• Group objects into GIDOs
CISL: Roles
• Clarifies roles identified by descriptors
(Attacker
  (Username 'joe')
  (Hostname 'carton.example.com')
  (UserID 501)
)
(Target
  (Hostname 'demon.example.com')
)
CISL: Verbs
• Permit generic description of actions
(Compromise
  (Attacker …)
  (Observer
    (Date '2003 Jun 12 14:15 PDT')
    (ProgramName 'GrIDSDetector')
  )
  (Target …)
)
CISL: Conjunctions
• Permit expression of compound
events
– HelpCause: Indicates partial
causality
– InOrder: Indicates sequencing
– AsAWayOf: Indicates multiple
views of the same attack
CISL: Open S-expressions
• Lambda calculus-like macros
(def CompromiseHost $1 $2 $3
  (Compromise
    (Attacker (Username $1))
    (Target (Hostname $2))
    (Observer (Date $3))
  )
)
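A small reader for the notation on the last four slides (roles, verbs and open S-expressions), written here as an added example in Python; it is not CIDF code and makes no claim to cover the full CISL grammar. It tokenises parenthesised S-expressions, keeps `'quoted'` atoms as strings and bare digits as integers, registers `(def Name $1 … body)` macros, expands calls to them by substituting `$n` parameters, and pulls the `(name value)` pairs out of a role such as `Attacker`. The two GIDOs in `SAMPLE` are the slides' own examples, transcribed with straight quotes.

```python
"""Parse CISL-style S-expressions (GIDOs) and expand open S-expression macros."""
import re

TOKEN = re.compile(r"\(|\)|'[^']*'|[^\s()']+")

# Constructed input: the macro from the 'Open S-expressions' slide, a call to it, and the
# fully spelled-out verb/role GIDO from the 'Roles' and 'Verbs' slides.
SAMPLE = """
(def CompromiseHost $1 $2 $3
  (Compromise
    (Attacker (Username $1))
    (Target (Hostname $2))
    (Observer (Date $3))))
(CompromiseHost 'joe' 'demon.example.com' '2003 Jun 12 14:15 PDT')
(Compromise
  (Attacker (Username 'joe') (Hostname 'carton.example.com') (UserID 501))
  (Observer (Date '2003 Jun 12 14:15 PDT') (ProgramName 'GrIDSDetector'))
  (Target (Hostname 'demon.example.com')))
"""


def parse_all(text):
    """Return a list of top-level expressions as nested Python lists; raise on unbalanced input."""
    tokens = TOKEN.findall(text)
    pos = 0

    def read():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of input: unbalanced '('")
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            items = []
            while True:
                if pos >= len(tokens):
                    raise ValueError("unexpected end of input: unbalanced '('")
                if tokens[pos] == ")":
                    pos += 1
                    return items
                items.append(read())
        if tok == ")":
            raise ValueError("unbalanced ')'")
        if tok.startswith("'"):
            return tok[1:-1]                 # quoted atom -> string, quotes stripped
        return int(tok) if tok.isdigit() else tok

    exprs = []
    while pos < len(tokens):
        exprs.append(read())
    return exprs


def is_well_formed(text):
    try:
        parse_all(text)
        return True
    except ValueError:
        return False


def substitute(expr, mapping):
    """Replace $n parameter atoms anywhere in the macro body."""
    if isinstance(expr, list):
        return [substitute(e, mapping) for e in expr]
    return mapping.get(expr, expr) if isinstance(expr, str) else expr


def expand(expr, macros):
    """Expand macro calls recursively; arity mismatches are errors, not silently padded."""
    if not isinstance(expr, list):
        return expr
    if expr and isinstance(expr[0], str) and expr[0] in macros:
        params, body = macros[expr[0]]
        args = [expand(a, macros) for a in expr[1:]]
        if len(args) != len(params):
            raise ValueError(f"{expr[0]} expects {len(params)} arguments, got {len(args)}")
        return expand(substitute(body, dict(zip(params, args))), macros)
    return [expand(e, macros) for e in expr]


def process(text):
    """Collect (def ...) forms, expand everything else, return the expanded GIDOs."""
    macros, gidos = {}, []
    for expr in parse_all(text):
        if isinstance(expr, list) and expr[:1] == ["def"]:
            macros[expr[1]] = (expr[2:-1], expr[-1])   # name -> (parameter atoms, body)
        else:
            gidos.append(expand(expr, macros))
    return gidos


def role(gido, name):
    """The {descriptor: value} pairs inside the role (Attacker, Target, Observer) named name."""
    for item in gido[1:]:
        if isinstance(item, list) and item and item[0] == name:
            return {p[0]: p[1] for p in item[1:] if isinstance(p, list) and len(p) == 2}
    return None


def demo():
    return [{"verb": g[0], "attacker": role(g, "Attacker"), "target": role(g, "Target"),
             "observer": role(g, "Observer")} for g in process(SAMPLE)]
```

Storing the expanded form (as `process` returns it) makes the database question on the next slide a plain lookup on the `Compromise` verb; storing the macro form keeps the payload small but means a query for `CompromiseHost` misses the same event reported by a sensor that spelled it out.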
CISL: Open S-expressions
• Originally defined to reduce payload
• Also usable for database queries
– Look for all records matching
'CompromiseHost'
– Difficulty: Store expanded form or
macro form in database?
Testing CISL
• CISL is expressive, leading to questions
– Is it ambiguous?
▪ Does a given GIDO have more than
one interpretation?
– Is it overbuilt?
▪ Is there more than one GIDO that
expresses the same thing (aside from
reordering)?
Testing CISL
• GIDO Bake-offs
– June 1999: Demonstration of simple
corroboration
– October 2000: Semantic testing
▪ Group A: Devised
scenarios/questions
▪ Group B: Only knows scenarios,
creates GIDOs
▪ Group C: Only knows questions,
receives GIDOs
▪ Three levels: Easy, medium, gnarly
Lessons from CISL
• Lessons from testing,
standardization efforts
– Heavyweight
– Not ambiguous, but too many
ways to say the same thing
– Mismatch between what CISL can
say and what detectors/analyzers
can reliably know
Enter IDWG
• Intrusion Detection Working Group
– WG of Internet Engineering Task
Force
– Chief product: IDMEF
▪ Intrusion Detection Message
Exchange Format
▪ Driven by many CIDF
participants
IDMEF
• XML-based; defines a DTD for ID messages
• Reduced vocabulary
– Roles reduced to analyzer (observer),
source, target
– Extra information for identifying
exploits, buffer overflows
– Provision for indicating that previous
alerts are related
– No provision for response prescriptions
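The reduced vocabulary in practice, as an added example in Python that is not part of the lecture or of any IDMEF implementation: build an IDMEF `Alert` with the standard library's ElementTree, using the three remaining roles (`Analyzer`, `Source`, `Target`) plus `Classification`, link a later alert to an earlier one through `CorrelationAlert`, and read those fields back out. Element and attribute names follow the RFC 4765 data model as I know it; the document is not validated against the DTD here, and the analyzer ids, addresses, times and message ids are constructed for the example.

```python
"""Build an IDMEF alert (RFC 4765 data model) and read the reduced role set back out."""
import xml.etree.ElementTree as ET

NS = "http://iana.org/idmef"


def q(tag):
    """Clark-notation name ElementTree uses for a namespaced element."""
    return f"{{{NS}}}{tag}"


def _address(parent, ip):
    node = ET.SubElement(parent, q("Node"))
    addr = ET.SubElement(node, q("Address"), category="ipv4-addr")
    ET.SubElement(addr, q("address")).text = ip


def make_alert(messageid, analyzer_id, create_time, src_ip, dst_ip, dst_port, classification, related=()):
    """Serialise one Alert; `related` holds messageids of earlier alerts this one correlates."""
    ET.register_namespace("idmef", NS)
    root = ET.Element(q("IDMEF-Message"), version="1.0")
    alert = ET.SubElement(root, q("Alert"), messageid=messageid)
    ET.SubElement(alert, q("Analyzer"), analyzerid=analyzer_id)     # CISL 'Observer'
    ET.SubElement(alert, q("CreateTime")).text = create_time
    _address(ET.SubElement(alert, q("Source")), src_ip)              # CISL 'Attacker'
    target = ET.SubElement(alert, q("Target"))                        # CISL 'Target'
    _address(target, dst_ip)
    service = ET.SubElement(target, q("Service"))
    ET.SubElement(service, q("port")).text = str(dst_port)
    ET.SubElement(alert, q("Classification"), text=classification)
    if related:
        corr = ET.SubElement(alert, q("CorrelationAlert"))
        ET.SubElement(corr, q("name")).text = "same source, later stage"
        for ident in related:
            ET.SubElement(corr, q("alertident")).text = ident
    return ET.tostring(root, encoding="unicode")


def summarize(xml_text):
    """Extract the fields a director would key on. Alerts from other components are
    network input: parse them with the same suspicion as anything else off the wire."""
    alert = ET.fromstring(xml_text).find(q("Alert"))
    if alert is None:
        raise ValueError("not an IDMEF Alert")

    def address(role):
        return alert.findtext(f"{q(role)}/{q('Node')}/{q('Address')}/{q('address')}")

    classification = alert.find(q("Classification"))
    return {
        "messageid": alert.get("messageid"),
        "analyzer": alert.find(q("Analyzer")).get("analyzerid"),
        "source": address("Source"),
        "target": address("Target"),
        "port": alert.findtext(f"{q('Target')}/{q('Service')}/{q('port')}"),
        "classification": classification.get("text") if classification is not None else None,
        "related": [e.text for e in alert.findall(f"{q('CorrelationAlert')}/{q('alertident')}")],
    }


def demo():
    """Constructed two-stage scenario: a scan alert, then a compromise alert that cites it."""
    scan = make_alert("a1", "nids-1", "2003-06-12T21:14:00Z",
                      "192.0.2.10", "198.51.100.7", 22, "TCP port scan")
    compromise = make_alert("a2", "hids-7", "2003-06-12T21:15:00Z",
                            "192.0.2.10", "198.51.100.7", 22, "Root compromise via ssh",
                            related=("a1",))
    return summarize(scan), summarize(compromise)


if __name__ == "__main__":
    for s in demo():
        print(s)
```

Where CISL needed `InOrder` conjunctions inside one GIDO to say "this followed that", IDMEF leaves each alert self-contained and lets the second one point at the first by `alertident`; the correlation itself is then the director's job, which is the reduced-vocabulary trade the slide describes.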
IDWG Status
• IDMEF (and other IDWG drafts)
– Submitted to IESG for advancement
to IETF Draft Standard (as standards-track RFC)
– Outcome: IDMEF was published in March 2007
as RFC 4765, an Experimental RFC rather
than a standards-track one
CSci530:
Security Systems
Lecture 12 – November 10, 2006
The Human Element
(intro slides)
Dr. Clifford Neuman
University of Southern California
Information Sciences Institute
The Human is the Weak Point
• Low bandwidth between computer
and human.
– User can read, but cannot do
crypto in their head.
– Needs the system as a proxy
– This creates vulnerability.
• Users don’t understand system
– Often trust what is displayed
– Basis for phishing
The Human is the Weak Point(2)
• Humans make mistakes
– Configure system incorrectly
• Humans can be compromised
– Bribes
– Social Engineering
• Programmers often don’t consider
the limitations of users when
designing systems.
Some Attacks
• Social Engineering
– Phishing – in many forms
• Mis-configuration
• Carelessness
• Malicious insiders
• Bugs in software
Addressing the Limitations
• Personal Proxies
– Smartcards or devices
• User interface improvements
– Software can highlight things that it thinks are
odd.
• Delegate management
– Users can rely on better trained entities to
manage their systems.
• Try not to get in the way of users’ legitimate
activities
– Or they will disable security mechanisms.
Much More Next Week
Current Event
Bot nets likely behind jump in spam
The Register (Tuesday 31st October 2006)
A significant rise in the global volume of spam in the past two months
has security analysts worried that bot nets are increasingly being used
by spammers to stymie network defenses erected to curtail bulk email.
Symantec, the owner of SecurityFocus, has found that average spam
volume has increased almost 30 percent for its 35,000 clients in the last
two months. Spam black list maintainer Total Quality Management
Cubed has seen a 450 percent increase in spam in two months.
While bulk emailers have, in the past, sent unwanted messages from a
single server, increasingly the spam emanates from networks of
compromised PCs, known as bot nets. The level of junk email has
increased almost in lock step with the number of compromised
systems used for spam, said David Hart, the administrator for Total
Quality Management.
Many bot herders - as the criminals that infect computers with bot
software are named - sell or rent bot nets to others to use, and
spammers increasingly seem to be among their customers.